Friday, December 13, 2013

Having Splunk wrap long fields

Splunk generally does a good job of autosizing column widths in dashboard panels. One thing that bugs me, though, is when you want to display just a few fields in a dashboard panel, but the length of one or two values in a field pushes the downstream fields off to the side, forcing you to scroll horizontally. I ran across a relatively old post on the Splunk boards addressing this issue (here).

I figure, though, that if you are going to pass something via a macro, why limit yourself to a static character limit? Paste the following into an appropriate macros.conf file. The first argument is the field you want to wrap (e.g., an email message string) and the second is the length at which you want the string split.

[line_breaker(2)]
args = field,len
definition = rex max_match=100 field="$field$" "(?<split__regex>.{0,$len$}(?:\s|$)|[^\s]+)" | rename split__regex as "$field$"
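
To preview how this regex splits a value for a given length before putting it on a dashboard, here is an added Python sketch (not part of the original post and not Splunk code). The function names and the sample string are constructed for illustration; it assumes zero-length matches are discarded and uses Python's (?P<name>...) spelling for the named group.

```python
import re

MAX_MATCH = 100  # same cap as max_match=100 in the macro


def wrap_pattern(length):
    """Build the macro's regex with $len$ replaced by `length`."""
    if length < 1:
        raise ValueError("length must be a positive integer")
    # Branch 1: up to `length` characters followed by whitespace or end of string.
    # Branch 2: a run of non-whitespace, used when branch 1 cannot match.
    return re.compile(r"(?P<split__regex>.{0,%d}(?:\s|$)|[^\s]+)" % length)


def line_breaker(value, length):
    """Return the chunks that would become the values of the wrapped field."""
    chunks = []
    for match in wrap_pattern(length).finditer(value):
        chunk = match.group("split__regex")
        if chunk == "":
            continue  # assumption: the empty match at end of string is dropped
        chunks.append(chunk)
        if len(chunks) == MAX_MATCH:
            break
    return chunks


# Constructed sample value, not real log data.
SAMPLE = ("Failed login for admin from "
          "host-with-a-very-long-name.example.com at 10:42")

if __name__ == "__main__":
    for piece in line_breaker(SAMPLE, 16):
        # A chunk may be one character longer than the limit because the
        # trailing whitespace is part of the match, and a token with no
        # whitespace (the hostname here) is never broken at all.
        print(len(piece), repr(piece))
```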